I'm delighted to announce the publication today of our new guidance, Phishing Attacks: Defending Your Organisation.
Phishing represents a huge threat to everyone's online security, and the NCSC spends a lot of time combating it in different ways. This guidance is an important addition to our portfolio of anti-phishing measures.
Who is this guidance for?
This guidance is aimed at organisations of all sizes, in all sectors. Produced in collaboration with CPNI, government, academia and industry, it describes how to protect your organisation against email phishing threats, drawing on our knowledge and research across real working environments.
In keeping with other NCSC guidance, Phishing Attacks: Defending Your Organisation is not a set of hard rules. It is the starting point to help you decide your approach. We know that your organisation's anti-phishing capability depends on many things. If you can't implement all of our recommendations, try to address at least some of the mitigations from within each of the layers of defence you can see in the Infographic below. As a result, you'll be in a much better place to minimise the damage from those phishing attacks that do get through.
[Infographic: summary of a multi-layered approach to phishing defences]
Why phishing guidance?
As you'll know if you've read our blog posts, the NCSC believes that user training can't ever entirely solve the phishing problem. In fact, there's a growing body of evidence* to suggest that focusing excessively on users' role in foiling phishing attacks can cause a great deal of organisational harm. It opens the door to a 'blame culture', and to the establishment of punishments and sanctions for users who 'fail' to spot phishes. The truth is that no matter how hard they may try, no user can spot every phish every time. Punishing them doesn't make them magically able to do so, and it can often cause wider problems.
There's a bewildering amount of phishing training currently available, and frankly its quality and value are very variable. Fortunately, our colleagues at CPNI have carried out a great deal of phishing research and, as a result, have produced an array of high-quality training materials offered through their Don't Take The Bait campaign, as well as sensible accompanying advice on how to conduct this training in organisations.
We'd love to know what you think of this guidance. Please let us know by commenting below, through our contact us page, or via your usual NCSC contact.
* 1. Kirlappos, I; Sasse, M A (2015) Fixing Security Together: Leveraging trust relationships to improve security in organizations. In: Proceedings of the NDSS Symposium 2015. Internet Society: San Diego, CA, USA.
* 2. Cappelli, D; Desai, A G; Moore, A P; Shimeall, T J; Weaver, E A; Willke, B J (2008) Management and Education of the Risk of Insider Threat (MERIT): System Dynamics Modeling of Computer System.